From 71d19f7e8ec98134ee7b2aede42c6aed2fb0bffd Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood Date: Thu, 15 Aug 2024 11:36:00 -0400 Subject: [PATCH 1/7] feat: add kubectl & utils to ompp image --- ompp-run-ubuntu/Dockerfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ompp-run-ubuntu/Dockerfile b/ompp-run-ubuntu/Dockerfile index 82af119..3e37f7c 100644 --- a/ompp-run-ubuntu/Dockerfile +++ b/ompp-run-ubuntu/Dockerfile @@ -41,12 +41,26 @@ RUN echo "ulimit -S -s 65536" >> etc/bash.bashrc && \ apt-get update && \ apt-get install -y \ apt-utils \ + curl \ + jq \ + htop \ + tree \ + zip \ sqlite3 \ openmpi-bin \ unixodbc && \ apt-get upgrade -y && \ rm -rf /var/lib/apt/lists/* +ARG KUBECTL_VERSION=v1.28.2 +ARG KUBECTL_URL=https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl +ARG KUBECTL_SHA=c922440b043e5de1afa3c1382f8c663a25f055978cbc6e8423493ec157579ec5 + +RUN curl -LO "${KUBECTL_URL}" \ + && echo "${KUBECTL_SHA} kubectl" | sha256sum -c - \ + && chmod +x ./kubectl \ + && sudo mv ./kubectl /usr/local/bin/kubectl + # set local openM++ timezone RUN rm -f /etc/localtime && \ ln -s /usr/share/zoneinfo/America/Toronto /etc/localtime From 37f8dc42d07034f3a02f01d354a4750ca00553c4 Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood Date: Thu, 15 Aug 2024 11:42:26 -0400 Subject: [PATCH 2/7] fix: remove sudo --- ompp-run-ubuntu/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ompp-run-ubuntu/Dockerfile b/ompp-run-ubuntu/Dockerfile index 3e37f7c..7ad1813 100644 --- a/ompp-run-ubuntu/Dockerfile +++ b/ompp-run-ubuntu/Dockerfile @@ -59,7 +59,7 @@ ARG KUBECTL_SHA=c922440b043e5de1afa3c1382f8c663a25f055978cbc6e8423493ec157579ec5 RUN curl -LO "${KUBECTL_URL}" \ && echo "${KUBECTL_SHA} kubectl" | sha256sum -c - \ && chmod +x ./kubectl \ - && sudo mv ./kubectl /usr/local/bin/kubectl + && mv ./kubectl /usr/local/bin/kubectl # set local openM++ timezone RUN rm -f /etc/localtime && \ 
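Review bot: The new `RUN curl -LO "${KUBECTL_URL}"` line downloads without `-f`, so an HTTP error body is saved as `kubectl` and the build only fails later at `sha256sum -c` with a misleading checksum mismatch; use `curl -fsSLO "${KUBECTL_URL}"` so transport failures are reported as such. The digest pin is the right idea, but because both `KUBECTL_URL` and `KUBECTL_SHA` are `ARG`s a caller can replace them together with `--build-arg`, so the pin only holds for the default invocation — worth recording with a comment such as `# Pinned release + sha256 from the matching dl.k8s.io .sha256 file; bump both together`. The added `htop`, `tree` and `zip` are interactive/debugging utilities in a runtime image whose default command is `mpiexec`; if the workload does not need them, leaving them out keeps the image surface smaller.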
From e3f99ee75cd38276958eedbd7bee3856ff649c90 Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood Date: Thu, 15 Aug 2024 11:58:18 -0400 Subject: [PATCH 3/7] fix: replace dockle with hadolint --- .github/workflows/build.yml | 16 +++++++--------- .github/workflows/publish.yml | 16 +++++++--------- 2 files changed, 14 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 98c0711..e2007d8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,7 @@ jobs: build: env: TRIVY_VERSION: "v0.43.1" + HADOLINT_VERSION: "2.12.0" needs: listimages strategy: fail-fast: false @@ -51,12 +52,9 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL - # Run Dockle - - name: Run dockle - uses: goodwithtech/dockle-action@main - with: - image: localhost:5000/${{ matrix.image }}:${{ github.sha }} - format: 'list' - exit-code: '0' - exit-level: 'fatal' - ignore: 'DKL-DI-0006' + # Run Hadolint + - name: Run Hadolint + run: | + sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint + sudo chmod +x hadolint + ./hadolint output/${{ matrix.notebook }}/Dockerfile --no-fail diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index af75cc8..3c003d2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -33,6 +33,7 @@ jobs: build: env: TRIVY_VERSION: "v0.43.1" + HADOLINT_VERSION: "2.12.0" needs: listimages strategy: fail-fast: false 
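Review bot: The new Hadolint step in build.yml fetches `hadolint-Linux-x86_64` with `sudo curl -L` and executes it with no integrity check, so the CI runner now trusts whatever that release URL returns; hadolint publishes checksum files next to its release assets, so pin the digest next to `HADOLINT_VERSION` and verify before running, e.g. `echo "${HADOLINT_SHA256}  hadolint" | sha256sum -c -`. The `sudo` is unnecessary for a download into the workspace and `-f` is missing, so a failed download would be silently chmod'ed and executed. Note also that dockle ran against the built image while hadolint lints the Dockerfile source, so image-level configuration checks no longer run anywhere in this job — if that is intentional, say so in the commit message or add a replacement image check.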
@@ -65,15 +66,12 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL - # Run Dockle - - name: Run dockle - uses: goodwithtech/dockle-action@main - with: - image: localhost:5000/${{ matrix.image }}:${{ github.sha }} - format: 'list' - exit-code: '0' - exit-level: 'fatal' - ignore: 'DKL-DI-0006' + # Run Hadolint + - name: Run Hadolint + run: | + sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint + sudo chmod +x hadolint + ./hadolint output/${{ matrix.notebook }}/Dockerfile --no-fail # Container build and push to a Azure Container registry (ACR) - run: | From e13bf52d817b6dbcc2051765c967cafe787fa6bb Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood Date: Thu, 15 Aug 2024 12:07:13 -0400 Subject: [PATCH 4/7] fix: generate dockerfiles for hadolint --- .github/workflows/build.yml | 4 ++++ .github/workflows/publish.yml | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e2007d8..3fd41c7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,6 +52,10 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL + # Image building/storing locally + - name: Make Dockerfiles + run: make generate-dockerfiles + # Run Hadolint - name: Run Hadolint run: | diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3c003d2..967a221 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
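Review bot: In publish.yml the new step runs `./hadolint ... --no-fail` immediately before the container build-and-push step, so a Dockerfile with error-level findings is still published to ACR; since this is the release pipeline, gate on severity instead, e.g. `./hadolint output/${{ matrix.notebook }}/Dockerfile --failure-threshold error`, which keeps warnings visible while blocking real errors. The dockle step it replaces also did not fail the job (`exit-code: '0'`), so this is a chance to tighten rather than carry the non-gating behaviour forward. The binary is downloaded with `sudo curl -L` and no checksum, which is the same supply-chain gap as in build.yml and should be fixed in both files together.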
@@ -65,7 +65,11 @@ jobs: run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL - + + # Image building/storing locally + - name: Make Dockerfiles + run: make generate-dockerfiles + # Run Hadolint - name: Run Hadolint run: | From f13254c703c338c83793554008ed0047040d2e51 Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood Date: Thu, 15 Aug 2024 12:14:04 -0400 Subject: [PATCH 5/7] fix: hadolint find dockerfile --- .github/workflows/build.yml | 6 +----- .github/workflows/publish.yml | 6 +----- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3fd41c7..2656f43 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,13 +52,9 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL - # Image building/storing locally - - name: Make Dockerfiles - run: make generate-dockerfiles - # Run Hadolint - name: Run Hadolint run: | sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint sudo chmod +x hadolint - ./hadolint output/${{ matrix.notebook }}/Dockerfile --no-fail + ./hadolint ${{ matrix.image }}/Dockerfile --no-fail diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 967a221..2f9a2eb 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
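Review bot: The corrected `./hadolint ${{ matrix.image }}/Dockerfile --no-fail` line in build.yml interpolates a GitHub expression directly into the `run:` script; expressions are expanded before the shell sees them, so if the `listimages` job derives image names from repository content (not visible here), a crafted directory name in a pull request could inject shell into this step. Pass the value through the environment instead: add `env: IMAGE: ${{ matrix.image }}` to the step and use `./hadolint "$IMAGE/Dockerfile" --no-fail`. The pre-existing Trivy line in the same step has the same shape, so converting both at once keeps the step consistent.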
@@ -66,16 +66,12 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL - # Image building/storing locally - - name: Make Dockerfiles - run: make generate-dockerfiles - # Run Hadolint - name: Run Hadolint run: | sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint sudo chmod +x hadolint - ./hadolint output/${{ matrix.notebook }}/Dockerfile --no-fail + ./hadolint ${{ matrix.image }}/Dockerfile --no-fail # Container build and push to a Azure Container registry (ACR) - run: | From b5362c837016dd1e5d226d294e42727e42e698d3 Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood Date: Fri, 16 Aug 2024 14:34:25 -0400 Subject: [PATCH 6/7] feat: add openssh for mpi-operator v2 --- ompp-run-ubuntu/Dockerfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ompp-run-ubuntu/Dockerfile b/ompp-run-ubuntu/Dockerfile index 7ad1813..ffc4e23 100644 --- a/ompp-run-ubuntu/Dockerfile +++ b/ompp-run-ubuntu/Dockerfile @@ -52,6 +52,7 @@ RUN echo "ulimit -S -s 65536" >> etc/bash.bashrc && \ apt-get upgrade -y && \ rm -rf /var/lib/apt/lists/* +# Install kubectl cli to be able to utilize file transfer functionality between containers ARG KUBECTL_VERSION=v1.28.2 ARG KUBECTL_URL=https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl ARG KUBECTL_SHA=c922440b043e5de1afa3c1382f8c663a25f055978cbc6e8423493ec157579ec5 
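Review bot: The new comment above `ARG KUBECTL_VERSION` explains why kubectl is installed but not what it implies at runtime: in-cluster file transfer with kubectl presumably goes through the pod's exec API, so the pod's ServiceAccount must hold the corresponding RBAC rights and anyone with a shell in this container inherits them. Suggest extending the comment to `# Requires the pod's ServiceAccount to be granted RBAC for the exec/cp calls used; scope that Role to the job namespace.` so operators deploying the image know which permissions they are handing to the workload.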
@@ -65,6 +66,19 @@ RUN curl -LO "${KUBECTL_URL}" \ RUN rm -f /etc/localtime && \ ln -s /usr/share/zoneinfo/America/Toronto /etc/localtime +# Install OpenSSH for MPI to communicate between containers +RUN apt-get install -y --no-install-recommends openssh-client openssh-server && \ + mkdir -p /var/run/sshd + +# Allow OpenSSH to talk to containers without asking for confirmation +# by disabling StrictHostKeyChecking. +# mpi-operator mounts the .ssh folder from a Secret. For that to work, we need +# to disable UserKnownHostsFile to avoid write permissions. +# Disabling StrictModes avoids directory and files read permission checks. +RUN sed -i 's/[ #]\(.*StrictHostKeyChecking \).*/ \1no/g' /etc/ssh/ssh_config && \ + echo " UserKnownHostsFile /dev/null" >> /etc/ssh/ssh_config && \ + sed -i 's/#\(StrictModes \).*/\1no/g' /etc/ssh/sshd_config + # Done with installation # set user, work directory and entry point # From 60c17e74b8d99ad9a1350f5859b86177667724d8 Mon Sep 17 00:00:00 2001 From: Pat Ledgerwood <32804494+vexingly@users.noreply.github.com> Date: Fri, 16 Aug 2024 15:07:37 -0400 Subject: [PATCH 7/7] fix: apt-get update cmd --- ompp-run-ubuntu/Dockerfile | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/ompp-run-ubuntu/Dockerfile b/ompp-run-ubuntu/Dockerfile index ffc4e23..58ac0f9 100644 --- a/ompp-run-ubuntu/Dockerfile +++ b/ompp-run-ubuntu/Dockerfile @@ -37,9 +37,11 @@ ARG DEBIAN_FRONTEND=noninteractive # For OncoSim MPI inject to the default bashrc as non other exist, can change later RUN echo "ulimit -S -s 65536" >> etc/bash.bashrc && \ -# update base image, install dependencies, cleanup +# update base image, install dependencies, cleanup, install OpenSSH for MPI to communicate between containers apt-get update && \ apt-get install -y \ + openssh-client \ + openssh-server \ apt-utils \ curl \ jq \ 
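Review bot: The second `RUN` in the OpenSSH hunk sets `StrictHostKeyChecking no`, sends known hosts to `/dev/null` and disables sshd `StrictModes`, which removes the client's only defence against a host impersonating an MPI peer and lets sshd accept key files with permissive modes; the comment gives the operational reason but should also name the compensating controls the deployment relies on, e.g. `# Safe only because worker pods are reachable solely inside the job's pod network and the Secret-mounted keypair is the sole authentication path; pair with a NetworkPolicy.` The relaxed client settings are appended to the global `ssh_config`, so they apply to every host, not just MPI workers; if the worker hostnames are predictable, confining them to a `Host` block would limit the blast radius. Installing `openssh-server` also adds an sshd to the image; how and as which user it is launched is outside this hunk and is worth documenting alongside the config.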
@@ -64,18 +66,14 @@ RUN curl -LO "${KUBECTL_URL}" \ # set local openM++ timezone RUN rm -f /etc/localtime && \ - ln -s /usr/share/zoneinfo/America/Toronto /etc/localtime - -# Install OpenSSH for MPI to communicate between containers -RUN apt-get install -y --no-install-recommends openssh-client openssh-server && \ - mkdir -p /var/run/sshd - + ln -s /usr/share/zoneinfo/America/Toronto /etc/localtime && \ + mkdir -p /var/run/sshd && \ # Allow OpenSSH to talk to containers without asking for confirmation # by disabling StrictHostKeyChecking. # mpi-operator mounts the .ssh folder from a Secret. For that to work, we need # to disable UserKnownHostsFile to avoid write permissions. # Disabling StrictModes avoids directory and files read permission checks. -RUN sed -i 's/[ #]\(.*StrictHostKeyChecking \).*/ \1no/g' /etc/ssh/ssh_config && \ + sed -i 's/[ #]\(.*StrictHostKeyChecking \).*/ \1no/g' /etc/ssh/ssh_config && \ echo " UserKnownHostsFile /dev/null" >> /etc/ssh/ssh_config && \ sed -i 's/#\(StrictModes \).*/\1no/g' /etc/ssh/sshd_config @@ -104,4 +102,4 @@ USER $OMPP_USER SHELL ["/bin/bash"] # default command check MPIEXEC verson, when used as a kubernetes container override with custom mpiexec execution -CMD mpiexec -V && ulimit -S -s \ No newline at end of file +CMD mpiexec -V && ulimit -S -s
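Review bot: Both `sed -i` edits in the merged `RUN` exit 0 even when the pattern matches nothing, so a base-image change that alters the stock `#StrictModes yes` or `#   StrictHostKeyChecking ask` lines would leave the intended settings unapplied without failing the build, and the MPI launch would break only at runtime. Add an assertion at the end of the chain, e.g. `&& grep -q '^StrictModes no' /etc/ssh/sshd_config && grep -q '^[[:space:]]*StrictHostKeyChecking no' /etc/ssh/ssh_config`, so the image fails to build when the edits did not take effect. Folding the sshd setup into the timezone `RUN` also couples unrelated steps; now that the `apt-get install` lives in the first layer there is no stale-cache reason to merge them, and a separate `RUN` for the SSH configuration reads more clearly.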